Cisco confirmed today that the Yanluowang ransomware group breached its corporate network in late May and that the attackers attempted to extort the company by threatening to leak stolen files online.
The company said the attackers were only able to obtain non-sensitive data from Box folders associated with the compromised employee account.
A Cisco spokesperson told BleepingComputer: “Cisco experienced a security incident on our corporate network in late May 2022 and we took immediate action to contain and root out the bad actor.”
“Cisco is not aware of any impact from this incident on our business, including Cisco products or services, sensitive customer data or sensitive employee information, intellectual property or supply chain operations.
“On August 10th, bad actors posted a list of files from this security incident to the dark web. We also took additional steps to protect our systems and shared technical details to help protect the wider security community.”
Stolen employee credentials used to compromise Cisco network
Yanluowang attackers gained access to Cisco’s network using an employee’s stolen credentials, obtained after hijacking the employee’s personal Google account, which contained credentials synced from their browser.
The attackers then persuaded the employee to accept multi-factor authentication (MFA) push notifications through MFA fatigue (repeated push prompts) combined with a series of sophisticated voice phishing calls in which the Yanluowang gang impersonated a trusted support organization.
The threat actor eventually tricked the victim into accepting one of the MFA prompts, gaining access to the VPN in the context of the targeted user.
Once they had a foothold on the corporate network, Yanluowang operators moved laterally to Citrix servers and domain controllers.
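The MFA fatigue pattern described above leaves a recognisable trace in authentication logs: a burst of denied or unanswered push prompts for one account, followed shortly by an approval. The following Python is an added example (not Cisco’s or Talos’s code) that flags that pattern; the log format, field names and sample lines are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push log (hypothetical CSV format: timestamp,user,result).
# "alice" shows the fatigue pattern: four failed pushes then an approval within
# minutes. "bob" is a single normal approval and should not be flagged.
SAMPLE_LOG = """\
2022-05-24T02:11:05Z,alice,denied
2022-05-24T02:11:40Z,alice,timeout
2022-05-24T02:12:12Z,alice,denied
2022-05-24T02:12:50Z,alice,timeout
2022-05-24T02:13:31Z,alice,approved
2022-05-24T09:00:03Z,bob,approved
"""

FAILURE_RESULTS = ("denied", "timeout")


def parse(line):
    """Split one log line into (datetime, user, result)."""
    ts, user, result = line.strip().split(",")
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def find_mfa_fatigue(log_text, window=timedelta(minutes=10), min_failures=3):
    """Return {user: (approval_time, failure_count)} for every approval that
    was preceded by at least `min_failures` denied/timed-out pushes within
    `window`. Tune the thresholds to the tenant's normal push volume."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, user, result = parse(line)
        events[user].append((ts, result))

    hits = {}
    for user, evs in events.items():
        evs.sort()  # chronological order per user
        for i, (ts, result) in enumerate(evs):
            if result != "approved":
                continue
            # Count failed pushes for this user inside the lookback window.
            recent = [r for t, r in evs[:i]
                      if ts - t <= window and r in FAILURE_RESULTS]
            if len(recent) >= min_failures:
                hits[user] = (ts, len(recent))
    return hits


if __name__ == "__main__":
    for user, (ts, n) in find_mfa_fatigue(SAMPLE_LOG).items():
        print(f"possible MFA fatigue: {user} approved at {ts} after {n} failed pushes")
```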
“They got into the Citrix environment, compromised a series of Citrix servers, and ended up gaining privileged access to the domain controller,” Cisco Talos said.
After obtaining domain administrator privileges, they used enumeration tools such as ntdsutil, adfind, and secretsdump to gather more information and installed a series of payloads on compromised systems, including backdoors.
Cisco ultimately detected and expelled them from its environment, but they continued to try to regain access over the following weeks.
“After gaining initial access, threat actors conduct a variety of activities to maintain access, minimize forensic artifacts, and increase their level of access to systems in the environment,” Cisco Talos added.
“The attackers were successfully removed from the environment and demonstrated persistence, with repeated attempts to regain access in the weeks following the attack; however, these attempts were unsuccessful.”
Hackers claim to steal data from Cisco
Last week, the threat actor behind the Cisco hack emailed BleepingComputer a directory listing of files allegedly stolen during the attack.
The threat actors claim to have stolen 2.75GB of data, comprising around 3,100 files. Many of these documents are nondisclosure agreements, data dumps, and engineering drawings.
The threat actors also sent BleepingComputer a redacted NDA file stolen in the attack as evidence and “suggested” that they had compromised Cisco’s network and leaked the file.
Today, the extortionists announced the Cisco breach on their data leak site and posted the same directory listing that was previously sent to BleepingComputer.
No ransomware deployed on Cisco systems
Cisco also said that while the Yanluowang gang is known for encrypting victim files, it found no evidence of a ransomware payload during the attack.
“While we did not observe ransomware deployment in this attack, the TTPs used are consistent with ‘pre-ransomware activity’, which is typically observed before ransomware is deployed in the victim environment,” Cisco Talos added in another blog post on Wednesday.
“We assess with medium to high confidence that this attack was carried out by an adversary previously identified as an Initial Access Broker (IAB) associated with the UNC2447 cybercrime gang, the Lapsus$ threat actor group, and the Yanluowang ransomware operator.”
The Yanluowang gang also recently claimed to have breached the systems of US retailer Walmart, which denied the attack and told BleepingComputer that it found no evidence of a ransomware attack.
Update: Added more information about Yanluowang’s activities within Cisco’s corporate network.